Upgrade to Pro — share decks privately, control downloads, hide ads and more …

«Тестирование безопасности GraphQL», Егор Богомолов, Wallarm

47a3212bc9721c62f1135ead56569f17?s=47 OWASP Moscow
December 06, 2019

«Тестирование безопасности GraphQL», Егор Богомолов, Wallarm

Видео https://www.youtube.com/watch?v=cb_Hc6GTi5A

Встреча Московского отделения OWASP, 6.12.2019 (https://www.meetup.com/OWASP-Moscow/events/266925142/)


OWASP Moscow

December 06, 2019

More Decks by OWASP Moscow

Other Decks in Programming


  1. Тестирование безопасности GraphQL API Богомолов Егор

  2. Intro

  3. Intro • GraphQL • Features • Instruments • Something new

  4. GraphQL

  5. GraphQL GraphQL is a query language for API

  6. Features

  7. Features (security features) • Introspection • Query Complexity • Query

    Depth • Injection via resolver
  8. Instruments

  9. Instruments Prints the GraphQL schema SDL from a GraphQL schema

    JSON introspection: Link: https://github.com/potatosalad/graphql-introspection-json-to-sdl Generate queries from GraphQL schema: Link: https://github.com/timqian/gql-generator A beautiful feature-rich GraphQL Client for all platforms: Link: https://altair.sirmuel.design/ Graphqler (Helps in security testing GraphQL applications): Link: https://github.com/sorokinpf/graphqler
  10. Something new

  11. GraphQL Batching Attack GraphQL is designed in a way that

    allows you to write clean code on the server, where every field on every type has a focused single-purpose function for resolving that value. However without additional consideration, a naive GraphQL service could be very "chatty" or repeatedly load data from your databases. This is commonly solved by a batching technique, where multiple requests for data from a backend are collected over a short period of time and then dispatched in a single request to an underlying database or microservice by using a tool like Facebook's DataLoader.
  12. GraphQL Batching Attack Normal and Serial Execution Link: https://graphql.github.io/graphql-spec/June 2018/#sec-Normal-and-Serial-Execution

    For Queries? For Mutations?
  13. 1 2 3 What’s the problem? Not all implementations follow

    the specification It gives you the opportunity to bypass information security systems Some operations must set a hit limit
  14. Example 1

  15. Example 2

  16. Outro

  17. Спасибо за внимание! Tg: @empty_jack E-Mail: jack@wallarm.com